CVE-2024-27982

Details

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Affected Packages

Node.js

Windows 10 (1507)Windows 10 (1607) / Server 2016Windows 10 (1809) / Server 2019Windows 10 (1903)Windows 10 (1909)

Fixed in:

18.20.120.12.121.7.2

References

WEBhttps://hackerone.com/reports/2237099 WEBhttps://lists.debian.org/debian-lts-announce/2024/09/msg00029.html WEBhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/WEBhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QJAKA33NJCI3XLQS2K36DRCUMWIFFYVU/WEBhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4M5XZZONMS4DAZE3CNDFDRSB6JQCL6Y/WEBhttps://security.netapp.com/advisory/ntap-20250418-0001/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2024-27982

CVE-2024-27982

Details

Affected Packages

References

CVSS Analysis

Ecosystems(17)

Timeline